Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 374 of 425

approach to security countermeasures. Importantly, any proposed deviation from policy should be brought to the attention of senior management, so that a decision can be made at the right level, after weighing all relevant considerations.

1088. Core elements that should form part of the patch management policy are detailed in the following sections.

46.1.1 Maintenance of an organisational-level software inventory 103

1089. The policy should require that an accurate inventory be maintained of all software packages, along with the version numbers of those software packages. This inventory would help administrators better monitor and identify vulnerabilities and patches that are applicable across the organisation.

46.1.2 Vulnerability identification and patch acquisition

1090. The policy should require administrators to refer to a number of information resources in order to monitor vulnerabilities and patches that may be applicable to the installed software systems. As each type of resource has its own specialised area, administrators need to be able to refer to more than one source for accurate and timely information on new vulnerabilities and patch releases. Common resources include product vendor websites and third-party security advisory websites (run by CERTs and security vendors). There is no evidence that any such proactive monitoring is currently carried out by IHiS, beyond rolling out patches made available by product vendors for the various software systems.

46.1.3 Patching timelines

1091. Software security patches which fix security vulnerabilities and other bugs for software installed on SingHealth- and IHiS-issued endpoint devices (e.g. operating system software, application software) are applied to on a specific

103 Government of HKSAR's paper on Patch Management at p.